Google Git
Sign in
chromium / external / github.com / prometheus / common / refs/heads/mem/secret_loader / . / config / http_config.go
blob: 2b82458fda8bf3636df71d6edb0ea97add55b013 [file] [log] [blame]
// Copyright 2016 The Prometheus Authors
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//go:build go1.8
// +build go1.8
package config
import (
"bytes"
"context"
"crypto/sha256"
"crypto/tls"
"crypto/x509"
"encoding/json"
"errors"
"fmt"
"io/ioutil"
"net"
"net/http"
"net/url"
"os"
"strings"
"sync"
"time"
"github.com/mwitkow/go-conntrack"
"golang.org/x/net/http2"
"golang.org/x/oauth2"
"golang.org/x/oauth2/clientcredentials"
"gopkg.in/yaml.v2"
)
// DefaultHTTPClientConfig is the default HTTP client configuration.
var DefaultHTTPClientConfig = HTTPClientConfig{
FollowRedirects: true,
}
// defaultHTTPClientOptions holds the default HTTP client options.
var defaultHTTPClientOptions = httpClientOptions{
keepAlivesEnabled: true,
http2Enabled: true,
// 5 minutes is typically above the maximum sane scrape interval. So we can
// use keepalive for all configurations.
idleConnTimeout: 5 * time.Minute,
}
type closeIdler interface {
CloseIdleConnections()
}
// BasicAuth contains basic HTTP authentication credentials.
type BasicAuth struct {
Username string `yaml:"username" json:"username"`
Password SecretLoader `yaml:"password,omitempty" json:"password,omitempty"`
PasswordFile string `yaml:"password_file,omitempty" json:"password_file,omitempty"`
}
// SetDirectory joins any relative file paths with dir.
func (a *BasicAuth) SetDirectory(dir string) {
if a == nil {
return
}
a.PasswordFile = JoinDir(dir, a.PasswordFile)
a.Password.SetFile(a.PasswordFile)
}
// Authorization contains HTTP authorization credentials.
type Authorization struct {
Type string `yaml:"type,omitempty" json:"type,omitempty"`
Credentials SecretLoader `yaml:"credentials,omitempty" json:"credentials,omitempty"`
CredentialsFile string `yaml:"credentials_file,omitempty" json:"credentials_file,omitempty"`
}
// SetDirectory joins any relative file paths with dir.
func (a *Authorization) SetDirectory(dir string) {
if a == nil {
return
}
a.CredentialsFile = JoinDir(dir, a.CredentialsFile)
a.Credentials.SetFile(a.CredentialsFile)
}
// URL is a custom URL type that allows validation at configuration load time.
type URL struct {
*url.URL
}
// UnmarshalYAML implements the yaml.Unmarshaler interface for URLs.
func (u *URL) UnmarshalYAML(unmarshal func(interface{}) error) error {
var s string
if err := unmarshal(&s); err != nil {
return err
}
urlp, err := url.Parse(s)
if err != nil {
return err
}
u.URL = urlp
return nil
}
// MarshalYAML implements the yaml.Marshaler interface for URLs.
func (u URL) MarshalYAML() (interface{}, error) {
if u.URL != nil {
return u.Redacted(), nil
}
return nil, nil
}
// Redacted returns the URL but replaces any password with "xxxxx".
func (u URL) Redacted() string {
if u.URL == nil {
return ""
}
ru := *u.URL
if _, ok := ru.User.Password(); ok {
// We can not use secretToken because it would be escaped.
ru.User = url.UserPassword(ru.User.Username(), "xxxxx")
}
return ru.String()
}
// UnmarshalJSON implements the json.Marshaler interface for URL.
func (u *URL) UnmarshalJSON(data []byte) error {
var s string
if err := json.Unmarshal(data, &s); err != nil {
return err
}
urlp, err := url.Parse(s)
if err != nil {
return err
}
u.URL = urlp
return nil
}
// MarshalJSON implements the json.Marshaler interface for URL.
func (u URL) MarshalJSON() ([]byte, error) {
if u.URL != nil {
return json.Marshal(u.URL.String())
}
return []byte("null"), nil
}
// OAuth2 is the oauth2 client configuration.
type OAuth2 struct {
ClientID string `yaml:"client_id" json:"client_id"`
ClientSecret SecretLoader `yaml:"client_secret" json:"client_secret"`
ClientSecretFile string `yaml:"client_secret_file" json:"client_secret_file"`
Scopes []string `yaml:"scopes,omitempty" json:"scopes,omitempty"`
TokenURL string `yaml:"token_url" json:"token_url"`
EndpointParams map[string]string `yaml:"endpoint_params,omitempty" json:"endpoint_params,omitempty"`
}
// SetDirectory joins any relative file paths with dir.
func (a *OAuth2) SetDirectory(dir string) {
if a == nil {
return
}
a.ClientSecretFile = JoinDir(dir, a.ClientSecretFile)
a.ClientSecret.SetFile(a.ClientSecretFile)
}
func (a *OAuth2) UnmarshalYAML(unmarshal func(interface{}) error) error {
type plain OAuth2
*a = OAuth2{}
if err := unmarshal((*plain)(a)); err != nil {
return err
}
if err := validateSecret("oauth2 client_secret", a.ClientSecret, "client_secret_file", a.ClientSecretFile); err != nil {
return err
}
a.ClientSecret.SetFile(a.ClientSecretFile)
return nil
}
// HTTPClientConfig configures an HTTP client.
type HTTPClientConfig struct {
// The HTTP basic authentication credentials for the targets.
BasicAuth *BasicAuth `yaml:"basic_auth,omitempty" json:"basic_auth,omitempty"`
// The HTTP authorization credentials for the targets.
Authorization *Authorization `yaml:"authorization,omitempty" json:"authorization,omitempty"`
// The OAuth2 client credentials used to fetch a token for the targets.
OAuth2 *OAuth2 `yaml:"oauth2,omitempty" json:"oauth2,omitempty"`
// The bearer token for the targets. Deprecated in favour of
// Authorization.Credentials.
BearerToken SecretLoader `yaml:"bearer_token,omitempty" json:"bearer_token,omitempty"`
// The bearer token file for the targets. Deprecated in favour of
// Authorization.CredentialsFile.
BearerTokenFile string `yaml:"bearer_token_file,omitempty" json:"bearer_token_file,omitempty"`
// HTTP proxy server to use to connect to the targets.
ProxyURL URL `yaml:"proxy_url,omitempty" json:"proxy_url,omitempty"`
// TLSConfig to use to connect to the targets.
TLSConfig TLSConfig `yaml:"tls_config,omitempty" json:"tls_config,omitempty"`
// FollowRedirects specifies whether the client should follow HTTP 3xx redirects.
// The omitempty flag is not set, because it would be hidden from the
// marshalled configuration when set to false.
FollowRedirects bool `yaml:"follow_redirects" json:"follow_redirects"`
}
// SetDirectory joins any relative file paths with dir.
func (c *HTTPClientConfig) SetDirectory(dir string) {
if c == nil {
return
}
c.TLSConfig.SetDirectory(dir)
c.BasicAuth.SetDirectory(dir)
c.Authorization.SetDirectory(dir)
c.OAuth2.SetDirectory(dir)
c.BearerTokenFile = JoinDir(dir, c.BearerTokenFile)
c.BearerToken.SetFile(c.BearerTokenFile)
}
// Validate validates the HTTPClientConfig to check only one of BearerToken,
// BasicAuth and BearerTokenFile is configured.
func (c *HTTPClientConfig) Validate() error {
// Backwards compatibility with the bearer_token field.
if err := validateSecret("bearer_token", c.BearerToken, "bearer_token_file", c.BearerTokenFile); err != nil {
return err
}
if (c.BasicAuth != nil || c.OAuth2 != nil) && c.BearerToken.IsSet() {
return fmt.Errorf("at most one of basic_auth, oauth2, bearer_token & bearer_token_file must be configured")
}
if c.BasicAuth != nil {
err := validateSecret("basic_auth password", c.BasicAuth.Password, "password_file", c.BasicAuth.PasswordFile)
if err != nil {
return err
}
}
if c.Authorization != nil {
if c.BearerToken.IsSet() {
return fmt.Errorf("authorization is not compatible with bearer_token & bearer_token_file")
}
err := validateSecret("authorization credentials", c.Authorization.Credentials, "credentials_file", c.Authorization.CredentialsFile)
if err != nil {
return err
}
c.Authorization.Type = strings.TrimSpace(c.Authorization.Type)
if len(c.Authorization.Type) == 0 {
c.Authorization.Type = "Bearer"
}
if strings.ToLower(c.Authorization.Type) == "basic" {
return fmt.Errorf(`authorization type cannot be set to "basic", use "basic_auth" instead`)
}
if c.BasicAuth != nil || c.OAuth2 != nil {
return fmt.Errorf("at most one of basic_auth, oauth2 & authorization must be configured")
}
} else {
if c.BearerToken.IsSet() {
c.Authorization = &Authorization{Credentials: c.BearerToken}
c.Authorization.Type = "Bearer"
}
}
if c.OAuth2 != nil {
if c.BasicAuth != nil {
return fmt.Errorf("at most one of basic_auth, oauth2 & authorization must be configured")
}
if len(c.OAuth2.ClientID) == 0 {
return fmt.Errorf("oauth2 client_id must be configured")
}
if !c.OAuth2.ClientSecret.IsSet() {
return errors.New("either oauth2 client_secret or client_secret_file must be configured")
}
if err := validateSecret("oauth2 client_secret", c.OAuth2.ClientSecret, "client_secret_file", c.OAuth2.ClientSecretFile); err != nil {
return err
}
if len(c.OAuth2.TokenURL) == 0 {
return fmt.Errorf("oauth2 token_url must be configured")
}
if c.OAuth2.ClientSecret.IsSet() {
return fmt.Errorf("either oauth2 client_secret or client_secret_file must be configured")
}
}
return nil
}
// UnmarshalYAML implements the yaml.Unmarshaler interface
func (c *HTTPClientConfig) UnmarshalYAML(unmarshal func(interface{}) error) error {
type plain HTTPClientConfig
*c = DefaultHTTPClientConfig
if err := unmarshal((*plain)(c)); err != nil {
return err
}
if err := validateSecret("bearer_token", c.BearerToken, "bearer_token_file", c.BearerTokenFile); err != nil {
return err
}
c.BearerToken.SetFile(c.BearerTokenFile)
if c.Authorization != nil {
if err := validateSecret("authorization credentials", c.Authorization.Credentials, "credentials_file", c.Authorization.CredentialsFile); err != nil {
return err
}
c.Authorization.Credentials.SetFile(c.Authorization.CredentialsFile)
}
if c.BasicAuth != nil {
if err := validateSecret("basic_auth password", c.BasicAuth.Password, "password_file", c.BasicAuth.PasswordFile); err != nil {
return err
}
c.BasicAuth.Password.SetFile(c.BasicAuth.PasswordFile)
}
if c.OAuth2 != nil {
if err := validateSecret("oauth2 client_secret", c.OAuth2.ClientSecret, "client_secret_file", c.OAuth2.ClientSecretFile); err != nil {
return err
}
c.OAuth2.ClientSecret.SetFile(c.OAuth2.ClientSecretFile)
}
return c.Validate()
}
// UnmarshalJSON implements the json.Marshaler interface for URL.
func (c *HTTPClientConfig) UnmarshalJSON(data []byte) error {
type plain HTTPClientConfig
*c = DefaultHTTPClientConfig
if err := json.Unmarshal(data, (*plain)(c)); err != nil {
return err
}
return c.Validate()
}
// UnmarshalYAML implements the yaml.Unmarshaler interface.
func (a *BasicAuth) UnmarshalYAML(unmarshal func(interface{}) error) error {
type plain BasicAuth
return unmarshal((*plain)(a))
}
// DialContextFunc defines the signature of the DialContext() function implemented
// by net.Dialer.
type DialContextFunc func(context.Context, string, string) (net.Conn, error)
type httpClientOptions struct {
dialContextFunc DialContextFunc
keepAlivesEnabled bool
http2Enabled bool
idleConnTimeout time.Duration
}
// HTTPClientOption defines an option that can be applied to the HTTP client.
type HTTPClientOption func(options *httpClientOptions)
// WithDialContextFunc allows you to override func gets used for the actual dialing. The default is `net.Dialer.DialContext`.
func WithDialContextFunc(fn DialContextFunc) HTTPClientOption {
return func(opts *httpClientOptions) {
opts.dialContextFunc = fn
}
}
// WithKeepAlivesDisabled allows to disable HTTP keepalive.
func WithKeepAlivesDisabled() HTTPClientOption {
return func(opts *httpClientOptions) {
opts.keepAlivesEnabled = false
}
}
// WithHTTP2Disabled allows to disable HTTP2.
func WithHTTP2Disabled() HTTPClientOption {
return func(opts *httpClientOptions) {
opts.http2Enabled = false
}
}
// WithIdleConnTimeout allows setting the idle connection timeout.
func WithIdleConnTimeout(timeout time.Duration) HTTPClientOption {
return func(opts *httpClientOptions) {
opts.idleConnTimeout = timeout
}
}
// NewClient returns a http.Client using the specified http.RoundTripper.
func newClient(rt http.RoundTripper) *http.Client {
return &http.Client{Transport: rt}
}
// NewClientFromConfig returns a new HTTP client configured for the
// given config.HTTPClientConfig and config.HTTPClientOption.
// The name is used as go-conntrack metric label.
func NewClientFromConfig(cfg HTTPClientConfig, name string, optFuncs ...HTTPClientOption) (*http.Client, error) {
rt, err := NewRoundTripperFromConfig(cfg, name, optFuncs...)
if err != nil {
return nil, err
}
client := newClient(rt)
if !cfg.FollowRedirects {
client.CheckRedirect = func(*http.Request, []*http.Request) error {
return http.ErrUseLastResponse
}
}
return client, nil
}
// NewRoundTripperFromConfig returns a new HTTP RoundTripper configured for the
// given config.HTTPClientConfig and config.HTTPClientOption.
// The name is used as go-conntrack metric label.
func NewRoundTripperFromConfig(cfg HTTPClientConfig, name string, optFuncs ...HTTPClientOption) (http.RoundTripper, error) {
opts := defaultHTTPClientOptions
for _, f := range optFuncs {
f(&opts)
}
var dialContext func(ctx context.Context, network, addr string) (net.Conn, error)
if opts.dialContextFunc != nil {
dialContext = conntrack.NewDialContextFunc(
conntrack.DialWithDialContextFunc((func(context.Context, string, string) (net.Conn, error))(opts.dialContextFunc)),
conntrack.DialWithTracing(),
conntrack.DialWithName(name))
} else {
dialContext = conntrack.NewDialContextFunc(
conntrack.DialWithTracing(),
conntrack.DialWithName(name))
}
newRT := func(tlsConfig *tls.Config) (http.RoundTripper, error) {
// The only timeout we care about is the configured scrape timeout.
// It is applied on request. So we leave out any timings here.
var rt http.RoundTripper = &http.Transport{
Proxy: http.ProxyURL(cfg.ProxyURL.URL),
MaxIdleConns: 20000,
MaxIdleConnsPerHost: 1000, // see https://github.com/golang/go/issues/13801
DisableKeepAlives: !opts.keepAlivesEnabled,
TLSClientConfig: tlsConfig,
DisableCompression: true,
IdleConnTimeout: opts.idleConnTimeout,
TLSHandshakeTimeout: 10 * time.Second,
ExpectContinueTimeout: 1 * time.Second,
DialContext: dialContext,
}
if opts.http2Enabled && os.Getenv("PROMETHEUS_COMMON_DISABLE_HTTP2") == "" {
// HTTP/2 support is golang had many problematic cornercases where
// dead connections would be kept and used in connection pools.
// https://github.com/golang/go/issues/32388
// https://github.com/golang/go/issues/39337
// https://github.com/golang/go/issues/39750
// Do not enable HTTP2 if the environment variable
// PROMETHEUS_COMMON_DISABLE_HTTP2 is set to a non-empty value.
// This allows users to easily disable HTTP2 in case they run into
// issues again, but will be removed once we are confident that
// things work as expected.
http2t, err := http2.ConfigureTransports(rt.(*http.Transport))
if err != nil {
return nil, err
}
http2t.ReadIdleTimeout = time.Minute
}
// If a authorization_credentials is provided, create a round tripper that will set the
// Authorization header correctly on each request.
if cfg.Authorization != nil {
// Backwards compatibility: if you don't call Validate first,
// these fields might not be correctly initialized.
cfg.Authorization.Credentials.SetFile(cfg.Authorization.CredentialsFile)
if _, _, err := cfg.Authorization.Credentials.Get(); err != nil {
return nil, fmt.Errorf("unable to retrieive authorization credentials: %w", err)
}
rt = NewAuthorizationCredentialsRoundTripper(cfg.Authorization.Type, cfg.Authorization.Credentials, rt)
}
// Backwards compatibility, be nice with importers who would not have
// called Validate().
cfg.BearerToken.SetFile(cfg.BearerTokenFile)
if cfg.BearerToken.IsSet() {
if _, _, err := cfg.BearerToken.Get(); err != nil {
return nil, fmt.Errorf("unable to retrieve bearer token: %w", err)
}
rt = NewAuthorizationCredentialsRoundTripper("Bearer", cfg.BearerToken, rt)
}
if cfg.BasicAuth != nil {
// Backwards compatibility: if you don't call Validate first,
// these fields might not be correctly initialized.
cfg.BasicAuth.Password.SetFile(cfg.BasicAuth.PasswordFile)
if _, _, err := cfg.BasicAuth.Password.Get(); err != nil {
return nil, fmt.Errorf("unable to retrieive basic authorization password: %w", err)
}
rt = NewBasicAuthRoundTripper(cfg.BasicAuth.Username, cfg.BasicAuth.Password, rt)
}
if cfg.OAuth2 != nil {
// Backwards compatibility: if you don't call Validate first,
// these fields might not be correctly initialized.
cfg.OAuth2.ClientSecret.SetFile(cfg.OAuth2.ClientSecretFile)
if _, _, err := cfg.OAuth2.ClientSecret.Get(); err != nil {
return nil, fmt.Errorf("unable to retrieve OAuth2 client secret: %w", err)
}
rt = NewOAuth2RoundTripper(cfg.OAuth2, rt)
}
// Return a new configured RoundTripper.
return rt, nil
}
tlsConfig, err := NewTLSConfig(&cfg.TLSConfig)
if err != nil {
return nil, err
}
if len(cfg.TLSConfig.CAFile) == 0 {
// No need for a RoundTripper that reloads the CA file automatically.
return newRT(tlsConfig)
}
return NewTLSRoundTripper(tlsConfig, cfg.TLSConfig.CAFile, newRT)
}
type authorizationCredentialsRoundTripper struct {
authType string
authCredentials SecretLoader
rt http.RoundTripper
}
// NewAuthorizationCredentialsRoundTripper adds the provided credentials to a
// request unless the authorization header has already been set.
func NewAuthorizationCredentialsRoundTripper(authType string, authCredentials SecretLoader, rt http.RoundTripper) http.RoundTripper {
return &authorizationCredentialsRoundTripper{authType, authCredentials, rt}
}
func (rt *authorizationCredentialsRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
if len(req.Header.Get("Authorization")) == 0 {
req = cloneRequest(req)
secret, _, err := rt.authCredentials.Get()
if err != nil {
return nil, err
}
req.Header.Set("Authorization", fmt.Sprintf("%s %s", rt.authType, secret))
}
return rt.rt.RoundTrip(req)
}
func (rt *authorizationCredentialsRoundTripper) CloseIdleConnections() {
if ci, ok := rt.rt.(closeIdler); ok {
ci.CloseIdleConnections()
}
}
type authorizationCredentialsFileRoundTripper struct {
authType string
authCredentialsFile string
rt http.RoundTripper
}
// NewAuthorizationCredentialsFileRoundTripper adds the authorization
// credentials read from the provided file to a request unless the authorization
// header has already been set. This file is read for every request.
func NewAuthorizationCredentialsFileRoundTripper(authType, authCredentialsFile string, rt http.RoundTripper) http.RoundTripper {
return &authorizationCredentialsFileRoundTripper{authType, authCredentialsFile, rt}
}
func (rt *authorizationCredentialsFileRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
if len(req.Header.Get("Authorization")) == 0 {
b, err := ioutil.ReadFile(rt.authCredentialsFile)
if err != nil {
return nil, fmt.Errorf("unable to read authorization credentials file %s: %s", rt.authCredentialsFile, err)
}
authCredentials := strings.TrimSpace(string(b))
req = cloneRequest(req)
req.Header.Set("Authorization", fmt.Sprintf("%s %s", rt.authType, authCredentials))
}
return rt.rt.RoundTrip(req)
}
func (rt *authorizationCredentialsFileRoundTripper) CloseIdleConnections() {
if ci, ok := rt.rt.(closeIdler); ok {
ci.CloseIdleConnections()
}
}
type basicAuthRoundTripper struct {
username string
password SecretLoader
rt http.RoundTripper
}
// NewBasicAuthRoundTripper will apply a BASIC auth authorization header to a request unless it has
// already been set.
func NewBasicAuthRoundTripper(username string, password SecretLoader, rt http.RoundTripper) http.RoundTripper {
return &basicAuthRoundTripper{username, password, rt}
}
func (rt *basicAuthRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
if len(req.Header.Get("Authorization")) != 0 {
return rt.rt.RoundTrip(req)
}
req = cloneRequest(req)
secret, _, err := rt.password.Get()
if err != nil {
return nil, fmt.Errorf("unable to read basic auth: %s", err)
}
req.SetBasicAuth(rt.username, strings.TrimSpace(secret))
return rt.rt.RoundTrip(req)
}
func (rt *basicAuthRoundTripper) CloseIdleConnections() {
if ci, ok := rt.rt.(closeIdler); ok {
ci.CloseIdleConnections()
}
}
type oauth2RoundTripper struct {
config *OAuth2
rt http.RoundTripper
next http.RoundTripper
secret string
mtx sync.RWMutex
}
func NewOAuth2RoundTripper(config *OAuth2, next http.RoundTripper) http.RoundTripper {
return &oauth2RoundTripper{
config: config,
next: next,
}
}
func (rt *oauth2RoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
secret, changed, err := rt.config.ClientSecret.Get()
if err != nil {
return nil, fmt.Errorf("unable to read oauth2 client secret: %s", err)
}
secret = strings.TrimSpace(secret)
if changed || rt.rt == nil {
config := &clientcredentials.Config{
ClientID: rt.config.ClientID,
ClientSecret: secret,
Scopes: rt.config.Scopes,
TokenURL: rt.config.TokenURL,
EndpointParams: mapToValues(rt.config.EndpointParams),
}
tokenSource := config.TokenSource(context.Background())
rt.mtx.Lock()
rt.secret = secret
rt.rt = &oauth2.Transport{
Base: rt.next,
Source: tokenSource,
}
rt.mtx.Unlock()
}
rt.mtx.RLock()
currentRT := rt.rt
rt.mtx.RUnlock()
return currentRT.RoundTrip(req)
}
func (rt *oauth2RoundTripper) CloseIdleConnections() {
// OAuth2 RT does not support CloseIdleConnections() but the next RT might.
if ci, ok := rt.next.(closeIdler); ok {
ci.CloseIdleConnections()
}
}
func mapToValues(m map[string]string) url.Values {
v := url.Values{}
for name, value := range m {
v.Set(name, value)
}
return v
}
// cloneRequest returns a clone of the provided *http.Request.
// The clone is a shallow copy of the struct and its Header map.
func cloneRequest(r *http.Request) *http.Request {
// Shallow copy of the struct.
r2 := new(http.Request)
*r2 = *r
// Deep copy of the Header.
r2.Header = make(http.Header)
for k, s := range r.Header {
r2.Header[k] = s
}
return r2
}
// NewTLSConfig creates a new tls.Config from the given TLSConfig.
func NewTLSConfig(cfg *TLSConfig) (*tls.Config, error) {
tlsConfig := &tls.Config{InsecureSkipVerify: cfg.InsecureSkipVerify}
// If a CA cert is provided then let's read it in so we can validate the
// scrape target's certificate properly.
if len(cfg.CAFile) > 0 {
b, err := readCAFile(cfg.CAFile)
if err != nil {
return nil, err
}
if !updateRootCA(tlsConfig, b) {
return nil, fmt.Errorf("unable to use specified CA cert %s", cfg.CAFile)
}
}
if len(cfg.ServerName) > 0 {
tlsConfig.ServerName = cfg.ServerName
}
// If a client cert & key is provided then configure TLS config accordingly.
if len(cfg.CertFile) > 0 && len(cfg.KeyFile) == 0 {
return nil, fmt.Errorf("client cert file %q specified without client key file", cfg.CertFile)
} else if len(cfg.KeyFile) > 0 && len(cfg.CertFile) == 0 {
return nil, fmt.Errorf("client key file %q specified without client cert file", cfg.KeyFile)
} else if len(cfg.CertFile) > 0 && len(cfg.KeyFile) > 0 {
// Verify that client cert and key are valid.
if _, err := cfg.getClientCertificate(nil); err != nil {
return nil, err
}
tlsConfig.GetClientCertificate = cfg.getClientCertificate
}
return tlsConfig, nil
}
// TLSConfig configures the options for TLS connections.
type TLSConfig struct {
// The CA cert to use for the targets.
CAFile string `yaml:"ca_file,omitempty" json:"ca_file,omitempty"`
// The client cert file for the targets.
CertFile string `yaml:"cert_file,omitempty" json:"cert_file,omitempty"`
// The client key file for the targets.
KeyFile string `yaml:"key_file,omitempty" json:"key_file,omitempty"`
// Used to verify the hostname for the targets.
ServerName string `yaml:"server_name,omitempty" json:"server_name,omitempty"`
// Disable target certificate validation.
InsecureSkipVerify bool `yaml:"insecure_skip_verify" json:"insecure_skip_verify"`
}
// SetDirectory joins any relative file paths with dir.
func (c *TLSConfig) SetDirectory(dir string) {
if c == nil {
return
}
c.CAFile = JoinDir(dir, c.CAFile)
c.CertFile = JoinDir(dir, c.CertFile)
c.KeyFile = JoinDir(dir, c.KeyFile)
}
// UnmarshalYAML implements the yaml.Unmarshaler interface.
func (c *TLSConfig) UnmarshalYAML(unmarshal func(interface{}) error) error {
type plain TLSConfig
return unmarshal((*plain)(c))
}
// getClientCertificate reads the pair of client cert and key from disk and returns a tls.Certificate.
func (c *TLSConfig) getClientCertificate(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
cert, err := tls.LoadX509KeyPair(c.CertFile, c.KeyFile)
if err != nil {
return nil, fmt.Errorf("unable to use specified client cert (%s) & key (%s): %s", c.CertFile, c.KeyFile, err)
}
return &cert, nil
}
// readCAFile reads the CA cert file from disk.
func readCAFile(f string) ([]byte, error) {
data, err := ioutil.ReadFile(f)
if err != nil {
return nil, fmt.Errorf("unable to load specified CA cert %s: %s", f, err)
}
return data, nil
}
// updateRootCA parses the given byte slice as a series of PEM encoded certificates and updates tls.Config.RootCAs.
func updateRootCA(cfg *tls.Config, b []byte) bool {
caCertPool := x509.NewCertPool()
if !caCertPool.AppendCertsFromPEM(b) {
return false
}
cfg.RootCAs = caCertPool
return true
}
// tlsRoundTripper is a RoundTripper that updates automatically its TLS
// configuration whenever the content of the CA file changes.
type tlsRoundTripper struct {
caFile string
// newRT returns a new RoundTripper.
newRT func(*tls.Config) (http.RoundTripper, error)
mtx sync.RWMutex
rt http.RoundTripper
hashCAFile []byte
tlsConfig *tls.Config
}
func NewTLSRoundTripper(
cfg *tls.Config,
caFile string,
newRT func(*tls.Config) (http.RoundTripper, error),
) (http.RoundTripper, error) {
t := &tlsRoundTripper{
caFile: caFile,
newRT: newRT,
tlsConfig: cfg,
}
rt, err := t.newRT(t.tlsConfig)
if err != nil {
return nil, err
}
t.rt = rt
_, t.hashCAFile, err = t.getCAWithHash()
if err != nil {
return nil, err
}
return t, nil
}
func (t *tlsRoundTripper) getCAWithHash() ([]byte, []byte, error) {
b, err := readCAFile(t.caFile)
if err != nil {
return nil, nil, err
}
h := sha256.Sum256(b)
return b, h[:], nil
}
// RoundTrip implements the http.RoundTrip interface.
func (t *tlsRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
b, h, err := t.getCAWithHash()
if err != nil {
return nil, err
}
t.mtx.RLock()
equal := bytes.Equal(h[:], t.hashCAFile)
rt := t.rt
t.mtx.RUnlock()
if equal {
// The CA cert hasn't changed, use the existing RoundTripper.
return rt.RoundTrip(req)
}
// Create a new RoundTripper.
tlsConfig := t.tlsConfig.Clone()
if !updateRootCA(tlsConfig, b) {
return nil, fmt.Errorf("unable to use specified CA cert %s", t.caFile)
}
rt, err = t.newRT(tlsConfig)
if err != nil {
return nil, err
}
t.CloseIdleConnections()
t.mtx.Lock()
t.rt = rt
t.hashCAFile = h[:]
t.mtx.Unlock()
return rt.RoundTrip(req)
}
func (t *tlsRoundTripper) CloseIdleConnections() {
t.mtx.RLock()
defer t.mtx.RUnlock()
if ci, ok := t.rt.(closeIdler); ok {
ci.CloseIdleConnections()
}
}
func (c HTTPClientConfig) String() string {
b, err := yaml.Marshal(c)
if err != nil {
return fmt.Sprintf("<error creating http client config string: %s>", err)
}
return string(b)
}